Why Web applications are at High Risk

Holz, Marechal, and Raynal observe, "From an attacker's viewpoint, a Web application is an interesting target for several reasons. First, the quality of the source code as related to security is often rather poor, as numerous bug reports show... Another factor is the applications' complex setup" [Holz06]. Many different vulnerabilities have been discovered in web applications, leading SANS to include web applications as the number one cross-platform attack target in their 2006 survey: "Applications such as Content Management Systems (CMS), Wikis, Portals, Bulletin Boards, and discussion forums are being used by small and large organizations. Every week hundreds of vulnerabilities are being reported in these web applications, and are being actively exploited. The number of attempted attacks every day for some of the large web hosting farms range from hundreds of thousands to even millions."

Below we give the exploits we have seen against our honeypots and where possible an estimate of the number of users for each piece of software. The estimates are obtained by checking the number of Google search results returned for a given page in a website, for example searching for '"powered by PHPBB" inurl:viewtopic.php' suggests there are around 1.5 million installations of PHPBB indexed by Google.

Because typical web applications are relatively immature code in terms of software life-cycle, a large number of vulnerabilities are regularly being discovered. This problem is exacerbated by the number of protocols in use by web applications - HTTP or HTTPS, XMLRPC and SOAP to name a few and the relatively unconstrained nature of the user interface. For example, a web form may be designed to accept certain parameters of particular sizes, but an attacker may exploit the application by posting arbitrary content to the form making use of failures in parsing and validation of the data to compromise the service. Some types of common PHP application vulnerabilities enable the attacker to include their own code in the targeted web application, a type of attack known as local or remote code inclusion.

Many of the languages that web applications that are written in -such as Perl and PHP - are relatively powerful and offer facilities to execute operating system commands and powerful database integration. They may also enable the program to interact with third-party applications such as email agents. Over recent years, much research has been performed on vulnerabilities in networking protocols and much effort has gone into design of firewalls and other mitigation mechanisms. In contrast, web applications are by nature open to a global audience and so may be extremely easy to find with the aid of search engines. Moreover, web applications have not had the same scrutiny that older applications and protocols have received. Attacks may also be written in a combination of a scripting language and shell commands, which are easier to develop than the machine language code needed to exploit most buffer-overflow problems.

It is plausible that web servers are generally of high value to attackers. Many automated attacks that we have observed have been designed with Linux in mind, though some of the Perl code they include also runs on other varieties of UNIX. We expect that a server installation will typically have a faster connection to the Internet than a home user's installation do; therefore it is plausible that by exploiting Linux web servers an attacker will gain control of a relatively high-value machine compared with attacks targeting a home user's computer. Web applications will usually have to interact with databases, such as lists of customers and their email addresses, or financial information. Another reason attackers may choose to target web applications is as part of a strategy for gaining access to these databases. In summary, because web applications are globally visible, vulnerable hosts are very easy to find via search engines and exploits are relatively easy to develop, they present a large and attractive surface area for attackers. They may also provide a stepping stone into more sensitive parts of the victim's network.